Forumnyy Troll Targets Academics with Fake Plagiarism Checks and Commercial Spyware

CyberSecureFox 🦊

In October 2025, Kaspersky researchers detected a new wave of targeted cyber‑espionage attacks linked to the threat actor known as “Forumnyy Troll”. This time, the group focused on political scientists, international relations experts, and economists from leading Russian universities and research institutes, using a phishing lure designed to trigger an immediate emotional response: accusations of academic plagiarism.

Phishing Campaign Exploits Fear of Plagiarism in the Academic Community

Victims received emails from the address support@e-library[.]wiki, associated with a website that closely mimicked the official Russian scientific e‑library portal, elibrary.ru. The cloned site copied the design and structure of the legitimate resource, a classic example of a brand impersonation attack aimed at exploiting user trust.

The messages claimed that a plagiarism check had been completed on the recipient’s work and included a link to a detailed report. After following the link, users were prompted to download a ZIP archive named after the recipient. Inside, attackers placed a folder called .Thumbs with benign image files as a decoy, together with a shortcut file that actually launched the malware infection chain.

When the victim clicked the shortcut, malicious code was installed in the background while a blurred PDF document opened in the foreground, ostensibly describing the plagiarism allegations. This distraction technique is typical in modern phishing operations: the user concentrates on the controversial content, overlooking anomalous behavior on the system.

From Chrome Zero‑Days to Social Engineering: Evolution of Forumnyy Troll

This campaign follows earlier activity attributed to Forumnyy Troll in spring 2025, when the group carried out a complex spy operation against Russian organizations. In that earlier campaign, the attackers abused a chain of Chrome zero‑day exploits and distributed phishing invitations to the “Primakov Readings” forum, a high‑profile international relations conference.

Analysis of those attacks led to the discovery of a previously undocumented piece of malware dubbed LeetAgent, with researchers tracing the group’s activity back to at least 2022. The new 2025 campaign indicates a strategic shift: instead of costly zero‑day exploits, Forumnyy Troll now relies more heavily on social engineering and widely available offensive tools, significantly lowering the technical barrier while maintaining high impact.

Dante Commercial Spyware Enters the Threat Landscape

Further investigation of the group’s toolset revealed use of Dante, a commercial spyware platform developed by Italian company Memento Labs (formerly Hacking Team). According to Kaspersky, this is the first documented case of Dante being deployed in real‑world attacks, despite the product having been announced in 2023.

Memento Labs CEO Paolo Lezzi reportedly confirmed that Dante belongs to the company, attributing its appearance in the wild to the compromise or misuse of an outdated version licensed to a government customer. This illustrates a broader risk: commercial surveillance tools, once leaked or repurposed, can quickly migrate from “lawful intercept” scenarios into covert cyber‑espionage operations.

Tuoni Red‑Teaming Tool, COM Hijacking, and Stealthy Persistence

At the final stage of the infection chain, the attackers deployed Tuoni, a legitimate red‑teaming framework typically used by security professionals to test defenses. In this context, Tuoni was weaponized as a full‑featured remote access tool (RAT), giving Forumnyy Troll operators control over compromised systems and a foothold for lateral movement inside targeted networks.

To maintain persistence, the group used COM hijacking, a Windows technique where registry keys associated with Component Object Model (COM) objects are modified so that a malicious DLL is loaded instead of the legitimate one. The malware registered itself under the key HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32, ensuring execution whenever the corresponding COM object was invoked. This same tactic, previously observed in the group’s spring operations, points to a stable set of TTPs (tactics, techniques and procedures).
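One defender's check that follows from this persistence technique, as an added PowerShell example that is not code from Kaspersky's report or from any tooling the article describes: it walks the per-user and machine-wide CLSID hives and flags InProcServer32 DLLs that override a machine-wide registration, sit in user-writable locations, match the CLSID named above, or lack a valid Authenticode signature. The user-writable path list is an assumed heuristic, not an indicator from the report.

```powershell
# Added defensive audit (not from the Kaspersky report): list COM InProcServer32
# registrations that look like hijacks. Runs on the Windows host being checked.
# HKCR is a merged view of HKLM\Software\Classes and HKCU\Software\Classes, and a
# per-user (HKCU) InProcServer32 entry takes precedence over the machine-wide one,
# so a DLL registered there under an existing CLSID is the classic hijack pattern.

$KnownBadClsid = '{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}'   # CLSID named in the report
$UserWritable  = '\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\'  # assumed heuristic

function Get-InProcServerDll {
    param([string]$KeyPath)
    $item = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    if ($null -eq $item -or -not $item.'(default)') { return $null }
    # The default value of InProcServer32 is the DLL path, possibly quoted or using %VARS%
    return [Environment]::ExpandEnvironmentVariables($item.'(default)'.Trim('"'))
}

function Get-HijackReasons {
    param([string]$Hive, [string]$Clsid, [string]$Dll)
    $reasons = @()
    if ($Hive -eq 'HKCU') {
        $reasons += 'per-user InProcServer32'
        if (Get-InProcServerDll "HKLM:\Software\Classes\CLSID\$Clsid\InProcServer32") {
            $reasons += 'overrides machine-wide CLSID'
        }
    }
    if ($Dll -match $UserWritable)   { $reasons += 'DLL in user-writable path' }
    if ($Clsid -ieq $KnownBadClsid)  { $reasons += 'CLSID matches reported IoC' }
    # Only pay the cost of a signature check for entries that are already suspicious
    if ($reasons.Count -gt 0 -and (Test-Path -LiteralPath $Dll)) {
        $sig = Get-AuthenticodeSignature -FilePath $Dll
        if ($sig.Status -ne 'Valid') { $reasons += "signature: $($sig.Status)" }
    }
    return $reasons
}

$findings = foreach ($hive in 'HKCU', 'HKLM') {
    $root = "${hive}:\Software\Classes\CLSID"
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $clsid = $key.PSChildName
        $dll = Get-InProcServerDll "$root\$clsid\InProcServer32"
        if (-not $dll) { continue }
        $reasons = Get-HijackReasons -Hive $hive -Clsid $clsid -Dll $dll
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Hive = $hive; CLSID = $clsid; DLL = $dll; Reasons = ($reasons -join '; ') }
        }
    }
}

$findings | Sort-Object Hive, CLSID | Format-Table -AutoSize
```

Any HKCU hit that overrides an HKLM entry deserves immediate review; a legitimately registered per-user COM server is rare on managed workstations.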

Fastly CDN and Adaptive Command‑and‑Control Infrastructure

The command‑and‑control (C2) infrastructure was engineered to be resilient and difficult to attribute. Forumnyy Troll hosted C2 servers within the Fastly cloud CDN, blending malicious traffic with legitimate content delivery flows. This approach complicates blocking efforts, as indiscriminate filtering of CDN traffic can disrupt normal business operations.

The attackers also served different responses depending on the victim’s operating system and sometimes limited the number of times malicious files could be downloaded from the same address. Such measures hinder malware collection and analysis by security teams and automated sandboxes, slowing down incident response.

Why Academic Researchers Are Attractive Targets for Cyber‑Espionage

Analysis of the fraudulent e‑library site shows it had been active since at least December 2024, indicating months of preparation, including domain registration, content development, and carefully crafted social‑engineering scenarios.

Academics and policy experts are frequent targets for intelligence‑driven threat actors. Their contact details, CVs, and publication lists are often publicly accessible on university and conference websites, making spear‑phishing at scale relatively easy. Lures involving plagiarism, grant applications, peer review, or conference invitations exploit both professional reputation and time pressure, significantly increasing the likelihood of a click.

Industry reports such as the Verizon Data Breach Investigations Report consistently show that phishing remains one of the top initial access vectors in security incidents worldwide. In sensitive areas like international relations, defense studies, and macroeconomics, compromise of an expert’s workstation can provide attackers with early access to policy drafts, confidential correspondence, and strategic analyses.

Given Forumnyy Troll’s continued activity against organizations and experts in Russia and Belarus since at least 2022, basic cyber‑hygiene and institutional preparedness are now critical for the academic sector. Universities and research institutes should deploy up‑to‑date endpoint protection on all devices; verify domains and senders of any messages related to plagiarism, grants, or conferences; avoid opening unexpected attachments or clicking unsolicited links; and conduct regular security awareness training with realistic phishing simulations. Systematic education and clear incident‑response procedures can significantly reduce the success rate of even advanced actors that combine social engineering, commercial spyware, and cloud‑based infrastructure, as demonstrated in the latest Forumnyy Troll campaign.
